X-Git-Url: https://wimlib.net/git/?p=wimlib;a=blobdiff_plain;f=src%2Fwin32_capture.c;h=0dbbf38e806a12c3479e40609e27865bda2b205a;hp=e818eebc59c0253129d0d0a9d21f5312dc278be0;hb=42172f81213121f379563919114d4897d816134b;hpb=f25a0797a77b9460bb8a645e83a664b4f0caddf1

diff --git a/src/win32_capture.c b/src/win32_capture.c
index e818eebc..0dbbf38e 100644
--- a/src/win32_capture.c
+++ b/src/win32_capture.c
@@ -263,7 +263,7 @@ winnt_get_short_name(HANDLE h, struct wim_dentry *dentry)
 }
 
 /*
- * Load the security descriptor of a file into the corresponding inode, and the
+ * Load the security descriptor of a file into the corresponding inode and the
  * WIM image's security descriptor set.
  */
 static NTSTATUS
@@ -278,10 +278,27 @@ winnt_get_security_descriptor(HANDLE h, struct wim_inode *inode,
 	ULONG len_needed;
 	NTSTATUS status;
 
-	requestedInformation = DACL_SECURITY_INFORMATION |
+	/*
+	 * LABEL_SECURITY_INFORMATION is needed on Windows Vista and 7 because
+	 * Microsoft decided to add mandatory integrity labels to the SACL but
+	 * not have them returned by SACL_SECURITY_INFORMATION.
+	 *
+	 * BACKUP_SECURITY_INFORMATION is needed on Windows 8 because Microsoft
+	 * decided to add even more stuff to the SACL and still not have it
+	 * returned by SACL_SECURITY_INFORMATION; but they did remember that
+	 * backup applications exist and simply want to read the stupid thing
+	 * once and for all, so they added a flag to read the entire security
+	 * descriptor.
+	 *
+	 * Older versions of Windows tolerate these new flags being passed in.
+	 */
+	requestedInformation = OWNER_SECURITY_INFORMATION |
+			       GROUP_SECURITY_INFORMATION |
+			       DACL_SECURITY_INFORMATION |
 			       SACL_SECURITY_INFORMATION |
-			       OWNER_SECURITY_INFORMATION |
-			       GROUP_SECURITY_INFORMATION;
+			       LABEL_SECURITY_INFORMATION |
+			       BACKUP_SECURITY_INFORMATION;
+
 	buf = _buf;
 	bufsize = sizeof(_buf);
 
@@ -339,7 +356,9 @@ winnt_get_security_descriptor(HANDLE h, struct wim_inode *inode,
 			if (requestedInformation & SACL_SECURITY_INFORMATION) {
 				/* Try again without the SACL.  */
 				stats->num_get_sacl_priv_notheld++;
-				requestedInformation &= ~SACL_SECURITY_INFORMATION;
+				requestedInformation &= ~(SACL_SECURITY_INFORMATION |
+							  LABEL_SECURITY_INFORMATION |
+							  BACKUP_SECURITY_INFORMATION);
 				break;
 			}
 			/* Fake success (useful when capturing as